
Friday, August 31, 2012

Earlier this week (Wednesday I think, but I was basically
without internet service due to Isaac) the folks at the Help Desk for ISCD
updated one of the responses to a frequently asked question (FAQ) about the
Chemical-terrorism Vulnerability Information (CVI) program, FAQ # 1588 (Note: Normally
I would provide a copy of the link to this information, but the FAQ links are
not permanent links. To access this FAQ# use the search engine on the CFATS
Knowledge Center page). The change updated the link to the CVI website.

A special note to the ISCD folks: There is no mention
of this FAQ update anywhere on the CFATS Knowledge
Center page. You have to use the search tools to find that it was updated.
Now most people who use this information will probably be using the search
feature, so I guess it isn’t too big of an issue. I would like to suggest,
however, that any change to a FAQ response should be mentioned in the ‘Latest
News’ section of the page.

(OOPS I got the acronym wrong in the title and no one called me on it, Corrected 09-01-12 8:30 EDT)
This morning the folks at DHS NPPD posted
links to many of the presentations made at last month’s Chemical Sector
Security Summit. I have a feeling that I saw the page just after it went live
because none of the links are active yet (as of 06:15 EDT). I’m still hoping
against hope that at least some of the links are to videos of the presentation
instead of just the slide shows as DHS has done in the past.

In any case, once the links are live (and I’ll note that on
my TWITTER feed, http://twitter.com/pjcoyle,
when I see it) there are a number of presentations that should, hopefully,
provide some interesting information. Ones that I’ll particularly watch for
(and probably report on here) are:

Tuesday, August 28, 2012

I’ve recently written a couple of blog posts about Sen.
Grassley’s (R,IA) newfound interest in the CFATS program problems (8-3-12,
8-7-12, 8-22-12).
Since Grassley is the Ranking Member of the Senate Judiciary Committee I have
been trying to figure out his interest in investigating the problems at ISCD; after
all his Committee has no specific NPPD or security oversight responsibilities.

Jurisdiction

I have looked at the Committee’s web site and its description of
the jurisdiction of the Committee. There doesn’t seem to be anything there
that would be directly applicable to the problems at ISCD. So I started asking
around and have been told by a couple of people that the Committee has
historically taken its oversight of the Department of Justice to include the responsibility
for looking into criminal activity within the government that one would expect
that the DOJ should be investigating.

Illegal Activity?

Now the cronyism charge made by the anonymous reader that I
described in my latest Grassley related post could be seen as a violation of
one or more of the Civil Service rules applicable to the hiring of an ISCD
Director, but it is a bit of a stretch to consider that worthy of a Senate
Judiciary Committee investigation. Lying to Congress about the status of the
CFATS implementation could be a serious charge, but one would be hard pressed
to prove that the statements before various committee hearings by Under
Secretary Beers or various ISCD personnel over the years were actual lies
rather than political spin.

Now there might be something that we haven’t seen mentioned
in the press yet that might provide fodder for such an investigation. It seems
that someone at NPPD (most likely Beers, I suppose) ordered an investigation
into the leak of the Anderson-Wulf memo to Fox News. Now a leak investigation
would certainly be appropriate, but it seems that the investigation was
conducted by investigators from the Federal Protective Service; sworn law
enforcement personnel. Those investigators were getting sworn statements from
everyone in ISCD stating that they were not the source of the leak. And
everyone was reminded that falsely swearing to Federal law enforcement officers
is a Federal offense in its own right.

To me that seems to be a possible abuse of power, but not
really illegal. A couple of people have told me (not for attribution
unfortunately) that it is actually against the law, but no one has provided me
with a cite for the law that is being broken, so I don’t really know. If it is,
it seems odd that Grassley or his anonymous reader friend has mentioned any investigation
into this matter.

General Malfeasance

Then again, committees in both the House and Senate have a
tendency to make up their rules as they go along, guided by political
expediency more than actual written policy. That may make the general
malfeasance described in my second Grassley post an adequate justification for
a Senate Judiciary Committee investigation; especially since it came from a ‘whistleblower’.

Outside Investigation

Since Chairman Leahy (D,VT) and Grassley were both
re-elected last year, this certainly won’t be about election year
grand-standing. Any investigation carried out by the Committee will probably
not see hearings until after the election. The people that I have talked to in
Washington have been fairly generous in their praise of the investigators on
the Judiciary Committee Staff; if there is some serious wrongdoing to be found
they will likely find it.

Unfortunately, they will be looking for illegal activities
or official malfeasance, not real problems with the CFATS program. I’m afraid
that we’ll have to wait for the House and Senate Homeland Security Committees
to look into that. Or perhaps the House Appropriations Committee will be the
one to take a real look; they have yet to complete their
hearing on the ISCD problems.

Monday, August 27, 2012

This is an interesting film from a local TV
station (Fox8.com) of a tanker of isobutane exploding on Interstate 10 in
Baton Rouge, LA last week. The tanker was deliberately exploded by authorities
after it was rear-ended in a freeway accident and its unloading line was
damaged and leaking. There had been numerous attempts made to unload the
damaged trailer, but they had been unsuccessful; leaving the authorities with
no choice but to detonate the trailer in place.

Planned Detonation

Needless to say the freeway was blocked off and local homes
and businesses were evacuated as a precaution well before the detonation. Fire
crews were in place and the plan for fighting the fire was worked out in
advance. Even with all of the precautions that were taken, it took fire
fighters almost two hours to put the fire out.

It looks to me that the explosives that were used were
emplaced to direct the main force of the explosion upwards. This would have
been done to minimize the potential for flames to spread beyond the confines of
the freeway. The folks that did this really knew what they were doing.

Security Lessons

This video should be viewed by all security managers for
chemical facilities that receive flammable liquids and flammable gases. It
gives a very good idea of the extent of the fireball from a tank wagon that has
been turned into a vehicle borne improvised explosive device (VBIED). Security
processes, procedures and protective measures need to take into account the
extent of the fireball seen in this video. They should also take into account that
it took fire department teams two hours to control the flames when they had equipment
on site ready and prepared to act.

Tank Wagons as Terror Weapons

The next security issue takes just a little more
imagination. Instead of this occurring on a closed Interstate with the
surrounding buildings evacuated for a safe distance in advance, watch the video
and try to imagine the freeway being packed with rush hour traffic. Imagine
that fireball covering the adjacent lanes and engulfing every car around the
truck in both directions to the extent of the fireball. Then imagine the
effects of the secondary fires and explosions as those cars burst into flames.

Then imagine the traffic behind those cars plowing into the
fireball and contributing their own impressive fireworks to the conflagration.
The cars that are able to stop before running into the actual flames may still
feel the effects of the blast overpressure and flash burns. Some of those cars
will burst into flames because the high temperature of the fire will heat combustible
and flammable materials to their autoignition temperatures.

Most of the vehicles will be able to stop beyond the direct
effects of the fires and explosions, but they will face hazards of their own. In
any freeway accident at rush hour there will be multiple collisions because
drivers were following too close, driving too fast, were distracted by other
things going on, or, in this case in particular, were stunned by the visual
effects to their front. The freeway will quickly become a parking lot.

If the person with the detonator switch in hand was
sufficiently devious, the tanker would have been underneath an overpass when
the contents were detonated. While the overpass structure would have protected
most of the traffic above from the direct effects of the blast, the accidents
and the casualties would be significant.

More importantly, the fire could weaken the structure of the
overpass enough to make it unsafe for traffic for weeks and months to come. The
potential damage to the roadway underneath and around the truck might also
prevent its use for extended periods of time. The immediate effects of the
attack would affect the community for months; quite a successful terrorist
attack.

HAZMAT Trucking Security Rules

TSA does not currently have any regulatory power over the
security of the trucking industry. They do have a few unofficial programs in
place to look at corporate security planning and risk assessment, but no
authority to require even the basic security measures.

The Pipeline and Hazardous Materials Safety Administration
(PHMSA) does have a regulatory program (49 CFR §172.800) that addresses
security for certain hazardous materials
shipped by truck. The program is vague with little in the way of descriptions
of what types of risk need to be addressed or what types of security measures
might be required.

Section 172.802 describes the security plan this way:

“The security plan must include an assessment
of transportation security risks for shipments of the hazardous materials
listed in § 172.800, including site-specific or location-specific risks associated
with facilities at which the hazardous materials listed in § 172.800 are
prepared for transportation, stored, or unloaded incidental to movement, and
appropriate measures to address the assessed risks. Specific measures put into
place by the plan may vary commensurate with the level of threat at a
particular time.”

It does require that the plan address (in the most general
terms) the following topics:

• Personnel security {§172.802(a)(1)};

• Unauthorized access {§172.802(a)(2)}; and

• En route security {§172.802(a)(3)}.

Carriers are required to have copies of these security plans
on file at their corporate headquarters where they may be inspected by PHMSA
inspectors or their State counterparts. Since those inspectors are safety
inspectors it is hardly likely that they have received any significant security
training to equip them to provide a knowledgeable review of the provisions. One
would assume that they might actually ask to see these plans on occasion and
would be satisfied if they were present.

The question becomes, is this adequate to prevent attacks
like the one I described above? The answer is left as an exercise for the
student……

Sunday, August 26, 2012

This is the final blog in a series taking a critical look at
the recent
Heritage Foundation report on the problems with the CFATS program. While
the report authored by Jessica Zuckerman is not up to the usual editorial
standards of the Heritage Foundation, it does raise some interesting issues. The
earlier blog posts can be found here:

The final section of the Heritage Foundation report on the
CFATS program is called “Developing Market-Oriented Chemical Security Solutions”.
As one would expect with a concluding section of a report it summarizes the
author’s conclusions. This post will address those conclusions and some of the
other shortcomings of the report.

Report Conclusions

Here is my summary of those conclusions (okay, I stole them
from the subheading in the section):

• Take a truly risk-based approach to chemical security;

• Reject calls for greater regulation;

• Expand SAFETY Act protections to encourage greater innovation;

• Promote public–private partnerships to enhance aging U.S. infrastructure; and

• Foster greater transparency and cooperation.

I have dealt with most of these conclusions in the
earlier posts on this report, so I will not dwell on them further here. There
is one new area found in this concluding section that is not addressed anywhere
else in the report and that is the one dealing with ‘aging U.S. infrastructure’.
It is a shame that Ms. Zuckerman forgot to address this issue in the body of
her report because she might have made a potential contribution to the discussion
of chemical facility security. Unfortunately, we are left with glittering
generalities such as:

“The United States’ overall
critical infrastructure, including the chemical sector, is inadequate and
aging. Greater investment is needed not only to ensure that U.S. critical
infrastructure is protected but that it is capable of bouncing back quickly
when disaster strikes.” (pg 10)

In general there is more than a little truth in the
description of critical infrastructure as ‘aging’, and ‘inadequate’ covers a
wide range of perceived and actual problems. The conclusion that ‘greater
investment is needed’ is hardly revolutionary, but it begs the question of
where the money is going to come from for that investment. This issue is one
that deserves a whole host of reports about specific areas of infrastructure,
public and private, that could have a potential effect on chemical facility
security.

Industry Response

One would be forgiven for concluding, after reading this
report, that industry was widely disillusioned with the CFATS program and
wanted to see it replaced with a radically different program. This is never
specifically stated in the report, but Ms. Zuckerman does repeatedly talk about
the burdens that the program places upon industry.

In the last couple of days, however, the chemical industry
has started to respond to this report, and it hasn’t been favorable. An article
over at NTI.org (Government Security Newswire, GSN) quotes representatives from
two of the largest organizations representing chemical facility owners, the
American Chemistry Council (ACC) and the Society of Chemical Manufacturers & Affiliates (SOCMA), as being
generally supportive of continuing the CFATS program. They acknowledge problems
with the current implementation, but support the basic premise and design of
CFATS.

These two organizations certainly don’t represent all of the
chemical facilities that are covered under CFATS, but I would be willing to bet
that they cover a majority of the Tier 1 and Tier 2 facilities that are having
to spend the greatest amount of money on upgrading the security measures at
their facilities to comply with the program.

Now part of that support is simply fear of the unknown. Not
knowing what type of program would replace CFATS, and Ms. Zuckerman provides
nothing beyond glittering generalities, industry would rather deal with the
devil they know than accept the potential for an entirely new program.

Given the fact that Congress has been unable to craft
comprehensive chemical security legislation since 2001, it is unlikely that it
would be able to do so any time in the foreseeable future. Eliminating the
CFATS program would leave a void with unpredictable consequences. The GSN
article notes that industry fears that an EPA based program might result in
requiring IST implementation. What is even more likely is that several State
and local governments, no longer restricted by the supremacy of the CFATS
program, would craft a patchwork of local regulations that would leave selected
facilities with onerous requirements (certainly including IST provisions in
many localities) while leaving their competitors with no regulations.

Areas That Were Not Addressed

There are a number of problem areas in the CFATS program that
were glossed over, minimally mentioned, or completely ignored in this report.
While I have addressed most of these in some detail in various posts over the
years, I would like to take this opportunity to mention some of the more
important ones (in my opinion) so that future researchers might have a better
chance of preparing a report that deals with actual issues and problems in the
CFATS implementation.

CFSI

Ms. Zuckerman briefly mentions the problem with the
qualifications of Chemical Facility Security Inspectors (CFSI). The initial members
of the CFSI were drafted from the Federal Protective Service. These were law
enforcement personnel with a background in physical security; they had little
or no background in dealing with chemical facilities. The folks at ISCD
realized this problem and established a Chemical Security Academy. I did an
initial blog posting on that topic a number of years ago. Since then I have
done a number of other blog postings on the issues related to training of CFSI.
They include topics such as:

Armed Security Forces

A number of commenters on the Anderson Memo about the
problems associated with the current CFATS program have taken particular issue
with the problem of current CFSI who started out as sworn law enforcement personnel
wanting to continue carrying their side arms. Leaving aside for the moment the definition
of enforcement in the CFATS environment, the failure of ISCD to address the
issue of the use of armed security personnel to stop terrorist attacks on
high-risk chemical facilities is a much unnoticed failing of the program. I
have dealt with this issue in a number of blog posts:

SSP Shortcomings

The biggest current problem with ISCD is their apparent
inability to effectively authorize any Site Security Plans. While many commenters
have noted this problem, no one has attempted to determine the root cause.
While I have not had the opportunity to do a detailed study of the problems on the
ground, it is clear from the limited comments we have heard from DHS and the
inspected community that there is a serious shortcoming with the current SSP
tool in CSAT; it is not adequately soliciting the information needed by ISCD to
conduct a paperwork evaluation of the programs at the facility.

Any security professional that looks at the questions
asked in the SSP tool would realize that the level of detail required for
an adequate assessment of the security plans at the facility would not be
provided by those questions as asked. This has resulted in DHS establishing the
Pre-Authorization Inspection program where presumably the CFSI are tasked with
seeking out the necessary information.

I have addressed the ways that this problem might be addressed by facilities
in submitting their SSPs, but it seems to me that the SSP tool needs a fairly
extensive revision if it is ever going to provide the level of detail necessary
for ISCD or its contractors to evaluate the security planning at CFATS covered
facilities. Lacking that, ISCD should institute a program where they send a
detailed letter to the facility seeking the specific information they need to
make their evaluation rather than sending the CFSI out to get the information.

Personnel Surety

While there are any number of other security related issues
that might be addressed by any reasonable revamp of the administration of the
CFATS program, I’ll just address one more in this posting, the lack of an
approved personnel surety program. RBPS #12 requires facilities to conduct
background checks on all facility
employees and contractors and any visitors requiring unaccompanied access to
critical areas of the facility. The provisions for checking identity, criminal
history and legal authorization to work can be adequately complied with by
using any of a number of commercial organizations to conduct background
investigations. The one area that cannot be accomplished by such organizations
is the identification of people with terrorist ties.

The failure of ISCD to come up with a reasonable program for
allowing facilities to have ISCD or some other agency of DHS vet personnel
against the Terrorist Screening Database is inexcusable. Such a program should
allow for the use of any of the currently available TSA vetted identification
programs (TWIC, HME, etc.) and/or provide a simple method of submitting
individual information to ISCD for such vetting. ISCD tried to make their
program much more complicated than was necessary. Since that program was recently
withdrawn, ISCD’s delay in getting such a program established will continue
to put off establishing a terrorist screening program for an even longer period
of time.

Moving Forward

ISCD and the CFATS program have a number of challenges and
problems to overcome. Documents that are purportedly comprehensive looks at the
program, like this Heritage Foundation report, could provide a basis for the discussion
of how to proceed with developing a workable chemical security program for
high-risk chemical facilities. Unfortunately, Ms. Zuckerman did little to move
the discussion forward.

The Pipeline and Hazardous Materials Safety
Administration posted a 60-day notice in the Federal Register (77 FR 51848-51849)
of their intent to renew two information collection requests (ICRs) that were
approved earlier this year to allow data collections mandated in two recently
approved pipeline safety rules on control room management (2137-0624)
and integrity management for gas distribution pipelines (2137-0625).
The current ICR approvals expire on January 31st, 2013.

There is a major change in the record keeping burden numbers being
reported in the control room management ICR. The
current ICR predicts 2,702 annual responses will be required under these
reporting requirements and estimates that the data collection and reporting for
those responses will take 127,328 hours. This notice reports the
same number of responses but greatly increases the burden hours to 1,018,807
hours (77 FR 51849), an eight-fold increase in the burden to 377 hours per
response. No explanation is given for this increase.

PHMSA is soliciting public comments on the renewal of these
two ICRs. Comments can be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2012-0215).
Comments need to be submitted by October 26th, 2012.

Saturday, August 25, 2012

The Coast Guard is publishing in Monday’s Federal Register
(available online today) a notice
(77 FR 51817-51818) announcing the upcoming two-day meeting of the National
Maritime Security Advisory Committee on September 11th and 12th
in Washington, D.C. This meeting will cover chemical security and
cybersecurity topics along with the typical maritime topics.

Topics of specific interest to the chemical and
cybersecurity communities include:

Cybersecurity

The information provided on the cybersecurity topic of the
agenda is more than a little vague. It states that:

“The Committee will discuss the
parameters of a new tasking from the Coast Guard to provide
guidance/recommendations on cyber-security initiatives within the maritime
sector.” (77 FR 51817)

This wording would seem to indicate that there is a
potential to include control system security issues in the discussion as there
are a wide variety of water-side and shore-side control systems used in the ‘maritime
sector’. It would be particularly interesting to see if the discussion included
the cyber-security of various security systems.

Information Sharing

The Coast Guard probably has a better history of information
sharing about security matters than any other organization in DHS. This makes
it particularly interesting to see how the NMSAC uses the community feedback
that it has obtained to suggest further improvements in that information sharing
process.

Integration of Security Plans and Systems

Section 822 of the Coast
Guard Authorization Act of 2010 required the owner/operator of an MTSA
covered facility (Congress did not include ‘vessels’ in this requirement) to “integrate,
to the maximum extent practical, any security system for the facility with
compatible systems operated or maintained by the appropriate State, law
enforcement agencies, and the Coast Guard” {46 USC §70102(c)(2)}. The Coast
Guard is asking the NMSAC to help develop
guidance for implementing this rather vague requirement.

One would like to think that ‘integrating facility security
systems’ would include such things as linking alarm notifications (both
intrusion and chemical release) to local law enforcement and emergency response
dispatch centers, ensuring that first responders are familiar with local
facility procedures, and that emergency response plans are fully coordinated
and exercised with local authorities.

Public Participation

As we have come to expect with the NMSAC, there are multiple
modes available for public participation in this two-day meeting. First, written
comments on the topics may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2012-0797). People may attend the meeting in person (limited
seating available, contact Mr. Ryan Owens, ryan.f.owens@uscg.mil), via
teleconference {(866) 810-4853; the pass code to join is 9760138#.}, or webcast
(http://connect.hsin.gov/nmsac91112/).
There will be a public comment period at the end of each day’s session.

Friday, August 24, 2012

Yesterday the Office of Management and Budget announced that
the DHS Science and Technology Directorate (S&T) had withdrawn their
information collection request (ICR) supporting the on-line First Responders
Community of Practice being developed to establish “a collaborative environment
for the first responder community to share information, best practices, and
lessons learned” (76 FR 11254).

I mentioned the publication of the 60-day notice of the intent to submit this
ICR over a year ago. I have still not seen any information on this program (but
I haven’t really looked for any either) beyond the two earlier Federal Register
publications. It sounds like a worthwhile information sharing exercise, but in
the current budget situation it is probably not being funded. That is a guess
on my part as the OMB notice does not provide any reason for the withdrawal of
this ICR.

I really hope that this ICR withdrawal is not due to a
cancellation of this program. First responders are the people that we count on
in any emergency to protect us from whatever danger is coming our way.
Generally speaking, these folks are undertrained and underfunded, and their
professionalism is based, in large part, upon the experiences they have individually
accumulated over the years.

Fortunately, terrorist attacks, particularly those using
hazardous chemicals, are rare events. But that means that very few of our first
responders have the requisite knowledge of, or experience in, responding to
these events. Establishing a methodology for sharing that experience would be a
valuable tool for increasing the ability of these brave men and women to
appropriately respond when they are faced with these infrequent events.

Thursday, August 23, 2012

Today the Coast Guard published a temporary final rule in
the Federal Register (77 FR 50926-50929) concerning security zones for vessels
carrying certain dangerous cargo. This rule is being issued as part of the DHS
security support for the Republican National Convention taking place in Tampa,
FL from August 25, 2012, through August 31, 2012.

While the term ‘certain dangerous cargo’ (CDC) may apply to
a variety of extremely hazardous chemicals on vessels, the rule makes it clear
that it specifically applies only to vessels “carrying anhydrous
ammonia, liquefied propane gas, and ammonium nitrate” {77 FR 50927}. These
are common bulk chemicals that transit Tampa Bay. Such CDC vessels will be
escorted by Coast Guard vessels during their transit of the area.

Instead of requiring such CDC vessels to stay away from the
Port of Tampa Bay during the Convention, the rule establishes a moving security
zone around such vessels as they move through the Port area. The discussion in
the rule notes that:

“Security measures have been
limited to the minimum necessary to mitigate risks associated with the
identified threats.” {77 FR 50927}

Because of the short notice period, there has not been a
public comment period provided for this rule. Anyone with questions about the
rule should contact Marine Science Technician First Class Nolan L. Ammons; D07-SMB-Tampa-WWM@uscg.mil.

This is the third blog in a series taking a critical look at
the recent
Heritage Foundation report on the problems with the CFATS program. While
the report authored by Jessica Zuckerman is not up to the usual editorial
standards of the Heritage Foundation, it does raise some interesting issues. The
earlier blog posts can be found here:

In this posting I will look at the “Calls for Further
Regulations” section of the Heritage Foundation report. Generally Ms. Zuckerman
gets the cart before the horse in this section and jumps to early conclusions
as has been her writing style throughout the report.

She opens her discussion by stating:

“In spite of the critical issues
that have ensued after the implementation of the CFATS program, there have
been many calls for further regulation of the chemical sector. While generally
misguided, many of these measures have received a good deal of attention in
Congress.” (pgs 7-8)

Because she is a latecomer to the chemical facility
security issue she just doesn’t realize that all of these calls for additional
regulation pre-date the formation of CFATS and form the basis for the political
wrangling that delayed chemical security legislation for so long and caused the
poorly conceived interim congressional authorization for the current program.

Regulation of Exempted Facilities

In this portion of the report Zuckerman identifies the five
categories of facilities exempted from CFATS coverage. She ignores the current
DHS efforts to harmonize chemical security coverage at two of these categories
(MTSA and NRC regulated facilities) and singles out water related facilities
for her examples of the errors of expanding the CFATS coverage.

She starts off her argument by stating that:

“These facilities currently fall
under the regulatory authority of the Environmental Protection Agency (EPA) and
are already subject to risk management and emergency planning requirements
under the Safe Drinking Water and Clean Water Acts.” (pg 8)

There are two problems with this tired argument. First the
majority of the CFATS covered facilities also come under risk management and
emergency planning requirements under a variety of EPA and OSHA regulations. Of
course none of these cover prevention of terrorist attacks; that is why
chemical security regulations were deemed necessary.

Secondly, the weak and unenforceable (even if EPA did have
security inspectors) water security regulations only require larger water
facilities (with more than 3500 customers) to conduct a security vulnerability
assessment of threats to water quality. There are no security standards set with
which these facilities must comply and certainly no EPA effort to regulate the
security of toxic chemicals (principally chlorine gas, but a number of other
toxic release hazards as well) at these facilities.

She concludes with the tired argument that “any shutdown due
to regulatory non-compliance would likely have large effects on public health
and well-being” (pg 8). The suggestion that DHS would shut down non-compliant
water treatment facilities is a non-argument that has been specifically
addressed in every legislative effort to add water treatment facilities to the
CFATS program.

Finally, Ms. Zuckerman ignores the most powerful argument
against adding the water treatment industry to the CFATS program. Such coverage
would more than double the number of facilities covered under the program with
the vast majority of those facilities falling under Tier 1 or Tier 2 coverage.
This would certainly exacerbate the current work-load problems ISCD is experiencing.

Of course, DHS is well aware of this problem and has
included in all of their latest suggestions for CFATS coverage of water
facilities that EPA actually take charge of the security at those facilities
using the CSAT tools for the administration of that program. Unfortunately, DHS
and EPA can begin working out the details of such a program but it would take
specific congressional authorization to implement as EPA has even less
authority to require security measures than does DHS.

Inherently Safer Technology Mandate

Zuckerman reports the rhetoric of the IST debate fairly
well. Unfortunately no effort was made to examine any of the actual legislative
proposals that have been submitted in either the House or the Senate over the
years. The political proponents of mandating the consideration of IST
implementation have been careful to moderate their proposals by basing the
implementation requirements upon the assessment of potential methods
done by facility management. Industry and its political supporters have
generally been unwilling to discuss how such proposals could be modified into a
workable proposal.

The report does briefly address the fact that a number of facilities
have already availed themselves of IST implementation measures to remove
themselves from the CFATS regulatory regime; noting that:

“In fact, more than 2,000 chemical
facilities are no longer deemed high-risk and are no longer subject to CFATS,
due to voluntary risk-reduction measures.” (pg 8)

She doesn’t address, however, the problem that ISCD doesn’t
have a formal mechanism for reviewing those changes to determine how those ‘risk
reductions’ were achieved. Many methods of risk reduction at a facility are
really nothing more than risk transfer; moving the risk to other manufacturing
facilities, storage facilities or transportation nodes. Other risk reduction
moves are little more than gaming the system like the industry change of a
standard 20% aqueous ammonia concentration to 19% to avoid the material being
covered under CFATS.

The issue of IST as a security measure is more complex than
the discussion provided in this report. It deserves a more detailed review that
provides both sides with a clearer understanding of the positions of the two
sides so that a compromise might be achieved in this area where there is
legitimate potential for gains in absolute security for many chemical
facilities.

EPA Authority Under the Clean Air Act

This final heading under the section concerning potential
legislation provides Ms. Zuckerman another chance to provide a superficial
examination of the rhetoric of the situation rather than address the actual
issues involved. She focuses on the fact that this suggested regulation is an
alternative method of enforcing IST requirements that are being politically
stalled in Congress, but fails to address the precarious legal justification
being used (see my more detailed discussion in my
blog post on HR 6345) to forward this proposal. She also fails to mention
that the proponents of this idea have gone beyond addressing a letter to the
President; there are reports that a formal petition has been filed with the EPA
requesting enforcement under the General Duty Clause.

The superficial discussion of the issues involved allows Ms.
Zuckerman to jump to another conclusion based upon facts not addressed in the
report. She closes this section by stating that:

“But, not only would the Clean Air
Act proposal undermine one of the few things CFATS gets right—the restriction
on the federal government from proscribing specific security measures—it would
also likely impose overlapping and confusing requirements and additional cost
burdens [emphasis added] on facilities already regulated by CFATS.” (pg 9)

While almost anyone in industry would agree with this
statement by Ms. Zuckerman, there is nothing in the preceding paragraphs that
addresses these issues. A political commentator might be able to get away with
such a leap in a blog post or editorial, but it is considered ill form in a
purported background information report.

Almost to the End

Well there is just one more section of this Heritage
Foundation report left to look at and I’ll cover it in a later blog.

Wednesday, August 22, 2012

I ran across the official job posting
on USAJobs.gov for the position of Deputy Director of ISCD last night during a
routine Google search. The posting was opened on August 15th and
closes on August 31st. Applications may be submitted on-line.

The job description is lengthy and includes all of the
typical bureaucratic requirements. For example the DD:

“Provides guidance and direction to
subordinates in the broad areas of Equal Opporuty(sic)/Equal Employment
Opportunity (EO/EEO), human resources programs, and employee development to
ensure ISCD's efforts in these areas achieve the goals of the designated
programs.”

There are a couple of interesting omissions in the job
description and requirements. First there is no mention of having any
background in chemical security operations or planning or even any kind of
security enforcement. Oh well, I suppose that an executive at this level is
more of a program manager and doesn’t really need to know what the troops in
the field are doing. Then again, this may be why ISCD is clueless as to why the
SSP questionnaire is not eliciting the types of information needed for the
reviewers to authorize the SSPs; there is no one at the management level with
the requisite expertise to make that evaluation.

The second oddity is that the job description does not
include any mention of the Ammonium Nitrate Security Program. Now I know that
DHS is woefully behind schedule on completing this program, but this will
(maybe?) be an important part of the ISCD mission if the program ever actually
gets off the ground.

Anyway if you are an American Citizen and are looking for a
new job in the $119,554.00 to $179,700.00 per year range, take a look at this job posting.

I just allowed the posting of a really interesting anonymous comment
to my
earlier blog posting on Sen. Grassley’s (R,IA) letter to Sec. Napolitano
about mismanagement in ISCD. This new
comment maintains that Grassley has uncovered “yet another egregious abuse
of authority in the DHS Office of Infrastructure Protection”. As of midnight
EDT there was nothing on the Grassley web site about these claims.

This anonymous reader maintains that:

“The political assistant secretary
illegally removed his career deputy from office just before the 2008 election,
enabling him to move his unqualified crony into the CFATS Director position,
where she proceeded to practice more of the cronyism that got her there and to
waste hundreds of millions of dollars, all while falsely reporting compliance
with the law.”

Now if my memory (and a brief Google search) serves me
correctly, the Assistant Secretary for the Office of Infrastructure Protection
in 2008 was Robert Stephan, a Bush appointee. The ISCD Director would have been
Sue Armstrong.

It will be interesting to see if Sen. Grassley actually has
any information beyond the political cronyism charge. While we are supposed to
have mechanisms in place to ensure that such things as are being alleged here
never take place, no one with any experience in politics would be surprised if
such things actually did take place. What is interesting here is that the
cronyism started in the Bush Administration and continued into the Obama
Administration. That doesn’t seem to be strictly ‘political cronyism’.

I will make one comment on one of the charges here; that of “falsely
reporting compliance with the law”. If the anonymous reader is talking about
Ms. Armstrong’s testimony about the CFATS program before various Congressional
committees during her tenure as Director of CFATS, I don’t recall any of those
appearances where she claimed anything about the program that wasn’t
subsequently verified. The serious problems with the SSP authorization process
didn’t really happen on her watch.

In any case, if anything more comes of this it
will be just one more problem that the CFATS program will have to overcome in
the next year.

Yesterday ICS-CERT published another
alert for the RuggedCom Rugged Operating System that was based upon a vulnerability
that was publicly disclosed by Justin W. Clarke of Cylance Inc. The public
report (once again there is no link to the report and the Cylance web site is
very discreet) identifies a hard-coded RSA SSL private key vulnerability in the
RuggedCom ROS. This is the second serious vulnerability that Clarke has
identified in this system.

NOTE: Just got an email from Justin and he provides this information about why I can find no link to this public disclosure: "The reason there’s no link to the report is that the Friday disclosure was actually a live presentation at BSidesLA 2012 on Friday (http://www.securitybsides.com/w/page/36552449/BSidesLosAngeles). The relevant slides were written by me and presented by Stuart McClure, Founder/CEO of my employer. Former Global CTO of McAfee, and Founder/CEO of FoundStone (acquired by McAfee sometime after 2000)." So maybe ICS-CERT should have mentioned the BSidesLA 2012. Updated 8-22-12 0615 EDT.

The earlier
vulnerability report concerned an undocumented backdoor account in the
system. Clarke had attempted to coordinate the disclosure on the earlier
vulnerability but was rebuffed. It would be interesting to hear from Clarke if
he attempted a coordinated disclosure this time or if he just decided to go
directly to a public disclosure because of his past experience with RuggedCom.

It will be interesting to see how quickly RuggedCom responds
to this disclosure.

Monday, August 20, 2012

This is the second blog in a series taking a critical look
at the recent
Heritage Foundation report on the problems with the CFATS program. While
the report authored by Jessica Zuckerman is not up to the usual editorial
standards of the Heritage Foundation it does raise some interesting issues. The
earlier blog post can be found here:

In this post I will be looking at the discussion in the
Report under the heading of ‘Right in Principle, Wrong in Practice’. This
section looks at the program from the perspective of how well the CFATS
implementation has followed the four principles outlined by Under Secretary
Beers in his March
30th, 2011 testimony before the House Homeland Security
Committee (Oops, it was before the House Energy and Commerce Committee on March
31st, 2011 and the link provided in the report is bad, DHS web site
change not Ms. Zuckerman’s fault there, but the rest is just poor scholarship).

Cross-Collaboration

Zuckerman properly points out that the individual
facilities, the Federal government as well as State and local governments all
have interests in securing high-risk chemical facilities. She then takes the
CFATS program to task for centralizing the responsibility for security at the
Federal level. She notes that:

“The government must determine
facilities’ risk levels, set performance standards, and assess security plans
and compliance.”

Congress provided in §550 that DHS was supposed to develop a
security program targeted at just those chemical facilities that were
determined to be at high risk for terrorist attack. Furthermore, the
program should be risk-based with the highest risk plants getting the earliest
attention. All of these require DHS to determine facility risk levels.

The performance standards were published by DHS as one would
expect since they would be judging if facilities met these performance standards
in the implementation of their security plans. DHS developed the standards in
conjunction with industry input and published a draft of the Risk-Based
Performance Standards. Extensive industry comments were received on that draft
(see my blog posts from 11-28-08, 12-05-08, 12-05-08, 01-09-09 and 01-13-09)
and were taken into account when the final version was published.

Furthermore, DHS worked hand-in-hand with industry in
developing, fielding and modifying the Top Screen and Security Vulnerability
Assessment Tools. For both of these portions of the CFATS process the first ten
or so facilities to complete submissions had DHS personnel on site in the
information development and submission process to work out the inevitable bugs
in the system. The lessons learned in those shared submission efforts were put
into modifying the tools and documentation before those systems went live for
the remainder of the CFATS community. That this was not done in the SSP
submission process probably goes a long way to explain the problems in that
system.

Ms. Zuckerman closes this section by claiming that:

“Enhancing chemical security does
not mean that the private sector should yield its responsibility to the
federal government.” (pg 5)

Nowhere in her arguments does she show where the private
sector has been required to yield its responsibility for the security of their
facilities. The CFATS program does not specify how a security program should be
put together, it simply provides standards by which the government will judge
the success of that program. That those standards are vague at best is at least
partially the responsibility of private industry. They were the ones that
demanded performance based standards and complained about anything coming close
to specifics in the draft version of the RBPS Guidance Document.

Risk-Based Tiering

Zuckerman takes DHS to task for not sharing the basis for
the Department’s risk tiering process, a complaint that has been made a number
of times over the years since the first NPRM was published for the CFATS
regulations. Actually this complaint has been combined with the lack of
openness about the process for establishing the ‘high-risk’ status of
facilities in the first place.

The report properly notes that the details of the
risk-ranking methodology are not shared with owners. This does not allow an
owner to do more than to make a reasonable guess as to what actions the
facility can take to have their Tier ranking lowered or even to be removed from
the CFATS list altogether. There is a process in place to submit information
to have either the Tier ranking or CFATS listing reconsidered, but it is an
iterative process at best.

While I agree with Ms. Zuckerman’s assertion in this case,
she does her report ill service by not addressing, even in passing, the
reasoning that DHS has used to avoid publicizing the details of their
methodology. This lack of addressing opposing arguments is another of the
reasons that this Heritage Foundation report is probably more useful as a
political document than a real study of the issues involved.

Any discussion of the sharing of information about the
security tiering or assessment process must take into account the official DHS
response to such questions in the regulatory comment process. DHS outlines
their position quite clearly in the preamble to the Interim Final
Rule published in the Federal Register (72 FR 17700 – 17701).

Zuckerman also addresses the failure of DHS to share tiering
information with State and local authorities; stating that:

“In addition, first responders and
community leaders have also expressed concern about the lack of transparency of
facility tiering and risk assessments, citing the fact that the lack of
information sharing may impede emergency response and community preparedness.”
(pg 5)

While one might suppose that State and local officials might
want some input on the evaluation process of facilities within their
jurisdiction, the claim of lack of transparency of the facility tiering and
risk assessment process fails to address the efforts made to share that
information with local authorities. DHS has made it clear that facilities have
an inherent responsibility for coordinating with local emergency response
officials and provides the State Homeland Security Directors with access to an
online tool in CSAT to check on the CFATS status of chemical facilities within
the State.

Finally, Ms. Zuckerman takes DHS to task for the problem it
discovered last year in its risk model. While there should be some discussion
on the internal delays in responding to the discovery of the model discrepancy,
it really is disingenuous to complain about the problem with the model. Any
researcher or academic knows that a model is only an approximation of reality
and adjustments have to frequently be made to models to ensure their accurate
reflection of reality. ISCD should be commended on monitoring their system
closely enough to detect and correct the problem.

On an editorial note there are many claims of comments by
unnamed industry or local government officials within this section. The
footnotes to those claims almost uniformly point to the book “Chemical Facility
Security” by Shea, but not a single page citation is provided. This is just
another continuing example of the poor scholarship exhibited throughout this
work.

Performance Standards

Zuckerman’s section on performance standards, or more
appropriately the Risk-Based Performance Standards (RBPS), actually addresses
the core issue of the current ISCD problems. She acknowledges that the theory
behind the RBPS is good but notes that in practice “chemical facilities have
largely been left uncertain over what is expected of them in meeting the DHS’s
standards” (pg 6). Unfortunately, industry is largely to blame for these
problems. They insisted on risk-based performance standards instead of concrete
security measures and even convinced their politicians in Congress to prohibit
DHS from specifying any security measure as being necessary for SSP approval.

As I noted earlier, when DHS published the draft of
the RBPS Guidance document in October 2008, the industry comments came fast
and furious. While many of the comments were constructive the vast majority
were complaining that this or that was too specific and wouldn’t or shouldn’t
apply to their industry or company. Once again DHS gave in to the political
pressure (which is never mentioned in Ms. Zuckerman’s report), and produced a
very vague RBPS Guidance document.

Ms. Zuckerman blames the problem, in part, on the Chemical
Facility Security Inspectors (CFSI’s; oh, she never does use their proper
title; a small thing to be sure); noting that:

“Similarly, issues in training and
hiring capable and experienced inspectors has resulted in confusing and
conflicting feedback from ISCD inspectors in the course of pre-authorization
visits and authorization inspections.”

I’ll address the CFSI specific issues in a later post, but
this complaint (not unique to Zuckerman) misses the important point. In the
pre-authorization and Authorization inspections, the inspectors are just the
eyes and ears of the ISCD staff. It is that staff (and frequently contractors)
that never sees the facility that makes the decision on whether or not an SSP
is approved. Thus, the person the plant talks to is not the person
making the decisions.

DHS has tried to clarify this on a number of occasions, but
I seriously don’t think that it has really gotten through to the folks in the
inspected facilities. Thus this reported confusion in the field. Oh by the way, Ms. Zuckerman provides no
source for her comments about ‘confusing and conflicting feedback from ISCD
inspectors’.

Leveraging Existing Advancements

This section of the report deals with the usage of
‘Alternative Security Plans’ or ASPs. Ms. Zuckerman falls into the same
language trap that most people do when they discuss ASPs. When most of the chemical
industry talks about ASPs they mean security programs like the American
Chemistry Council’s Responsible Care Security program. This is a set of
standards along with a third party verification of compliance for security
related issues. When industry talks about ‘accepting’ such a plan it appears
that they mean the facility should be given credit for that plan when they have
been certified by the third party and DHS should accept that as an approved
SSP.

DHS, on the other hand misnamed their SSP; it is not a site
security plan. What the SSP is is a series of questions about the security set
up at a particular facility to determine if that security program meets the
requirements of the Risk-Based Performance Standards. DHS doesn’t care if the
security measures are part of another certified site security plan; great, just
so long as your answers to the questions show the facility meets the RBPS.

The problem is that ISCD does not have the time nor the
manpower to read the documents associated with a real security plan; a 100+
page document with annexes describing emergency response, personnel surety, key
control, etc. Adding a variety of formats from different security programs will
only add to that problem.

Ms. Zuckerman manifests her misunderstanding of the problem
by stating that:

“This lack of motivation on the
part of the DHS to seriously consider ASPs inhibits the ability of companies
to continue to employ security measures in which they have already invested
time and effort, thereby discouraging the innovation and creative thinking that
have been critical to the security of the private sector in the past. As such,
it limits the field of security options to those rigidly established by the
federal government.” (pg 6)

Nothing that DHS is doing is limiting the ability of
facilities to continue to use existing security measures, either to completely
or partially fulfill their compliance with the 18 risk-based performance
standards set forth in the CFATS regulations. And DHS is specifically
prohibited from establishing rigid security options.

What industry really wants is for the currently established
voluntary security programs to be accepted without review by DHS. In essence
what they want is to have these third-party certification agencies perform
the inherently governmental function of examining and approving the security
plan for CFATS covered facilities. Unfortunately, DHS has been given the responsibility
for performing this function and does not have authority to transfer that responsibility
to a private sector entity (okay, we’ll ignore for the moment that they are
using contractors for the information processing necessary to make that
decision; oh, that isn’t in the Heritage Foundation report).

In the closing paragraph in this section of the report Ms.
Zuckerman brings up an interesting point that I must admit I haven’t seen
mentioned in reference to the CFATS program. She mentions that “the department
should encourage companies to apply for certification under the Support
Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002”.
Actually I have heard of the SAFETY Act program and I seem to recall that it is
run by DHS S&T, not NPPD.

Still if NPPD could identify areas where new technology
would benefit facilities covered under the CFATS program, it would certainly be
helpful if a SAFETY Act program could be put together to fulfill that need.
Okay, I’ll remake a suggestion here; chemical facility response forces need a
weapon that can be used to stop violent attackers without posing a safety
hazard when used within the high-risk environment of a chemical facility. Sorry
that’s a pet peeve of mine and doesn’t really have anything to do with the
review of this report. It won’t happen again.

Other Critical Concerns

This section deals with the issues raised in the
so-called Anderson memo that was made public last December. Ms. Zuckerman has
had no more access to that memo than have any of the rest of us that have
commented on the problems at ISCD. So I’ll give her a pass on all of the errors
in this section as they are the same ones that just about everyone has made.
She has no background working with this program so she can only repeat the same
unfounded charges.
See my
blog post from last December on my reporting on the ISCD issues.

To be sure, for a one page handout this does a fairly good
job of presenting interesting information about the threat to ICS security. The
limited list of potential threat indicators does provide a start to awareness,
but it is hardly comprehensive. It also assumes a level of security awareness (e.g.,
no explanation of what a ‘targeted phishing email’ is) that may not be
appropriate.

They probably could have done without the “How Do They Work”
section as it doesn’t provide much in the way of information about threat
indicators. The space could have been put to better use describing some recent
attacks.

The biggest problem with this hand-out is that it is
obviously a draft that should never have seen publication. The contact
information for the FBI’s Cyber Task Force is completely missing.

If anyone has seen a more properly vetted version of this
sheet, please let me know. It’s not much but it could be of some limited use in
communicating information to people in the control system community.

There is an interesting
article over on PCWorld.com about a pending change in the NIST standards
for federal web site security protocols. The current standard is the use of Transport Layer Security (TLS 1.0). NIST
is expected to change that to TLS 1.1 and/or 1.2. Now most Federal web sites do
not require security settings as they are one-way information providers. Sites
providing secure communications (like the CSAT tool) will be affected by this
change.

We can be fairly
sure that the folks at ISCD will make an announcement when this change is
applied to their CSAT sites. In the meantime it makes sense to verify that the
computers that you use to communicate with CSAT are all capable of using TLS
1.1 or 1.2. Check the “Security Settings” under the “Advanced” tab on the
Internet Options on Internet Explorer (I’m sorry I don’t know the technique for
other browsers; I continue my love-hate relationship with MS).
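
For checking more than a handful of machines, the same Internet Explorer setting can be read from the registry instead of the Internet Options dialog. The PowerShell below is an added example, not part of the original post and not a DHS tool; it assumes the SecureProtocols registry value and the bit values Microsoft documents for it, and the function names are hypothetical.

```powershell
# Added example. Bit values for the SecureProtocols DWORD, as documented
# by Microsoft for Internet Explorer / WinINet.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}

# Hypothetical helper: list the protocol names whose bit is set in a mask.
function Get-EnabledProtocol {
    param([Parameter(Mandatory = $true)][int]$Mask)
    foreach ($entry in $ProtocolBits.GetEnumerator()) {
        if (($Mask -band $entry.Value) -ne 0) { $entry.Key }
    }
}

# Hypothetical helper: report the first SecureProtocols value found.
# Assumption: Group Policy keys take precedence over the per-user preference.
function Get-IeTlsStatus {
    $candidates = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($key in $candidates) {
        $prop = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }
        $mask = [int]$prop.SecureProtocols
        return [pscustomobject]@{
            Source      = $key
            Mask        = '0x{0:X4}' -f $mask
            Enabled     = (Get-EnabledProtocol -Mask $mask) -join ', '
            Tls11Or12   = ($mask -band 0x0A00) -ne 0   # TLS 1.1 or TLS 1.2 bit set
            LegacySslOn = ($mask -band 0x0028) -ne 0   # SSL 2.0 or SSL 3.0 bit set
        }
    }
    # No explicit value: the browser falls back to its built-in defaults,
    # which differ between versions, so this case needs a manual check.
    [pscustomobject]@{
        Source      = '(SecureProtocols not set)'
        Mask        = $null
        Enabled     = 'browser default'
        Tls11Or12   = $null
        LegacySslOn = $null
    }
}

# Constructed sample masks (not read from any real machine).
foreach ($sample in 0x00A0, 0x0A80) {
    '0x{0:X4} -> {1}' -f $sample, ((Get-EnabledProtocol -Mask $sample) -join ', ')
}

# Report for the current user on this machine.
Get-IeTlsStatus | Format-List
```

A result with Tls11Or12 set to False means the browser on that machine has neither TLS 1.1 nor TLS 1.2 enabled and the setting has to be changed before it can use them.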

Sunday, August 19, 2012

As I
promised earlier this week I am taking a closer look at the report
issued earlier this week by the Heritage Foundation on the CFATS program.
Jessica Zuckerman presents an overview of the CFATS program that presents a
newspaper style review of the program problems and concludes that the program
is too complex and overly burdensome. Unfortunately she is weak on the program
details, glosses over some real problems, and provides little in the way of
details that would actually contribute to the discussion much less justify her
conclusions that the CFATS program should be eliminated.

This is the first in what is going to end up being a
multi-part look at the Heritage Foundation Report and the real problems with the
CFATS program.

CFATS Background

Ms. Zuckerman presents a brief history of the events leading
up to the adoption of the authorization of the CFATS program by §550 of the Department
of Homeland Security Appropriations Act of 2007. She starts as do most
commentators with the Bhopal disaster, but only lists the 1990 Clean Air Act
Amendment containing the General Duty Clause as a legislative response to that
incident, ignoring the legislation dealing with community right-to-know,
emergency planning and process safety management. A number of the current
problems in the CFATS program can be traced back to these pieces of legislation
and the government’s inability, for both technical and political reasons, to
provide for proactive inspection forces to oversee the implementation of those
rules.

The Report goes on to look at the political conflict that
prevented the establishment of a comprehensive chemical security program.
Unfortunately, Ms. Zuckerman only mentions (without ever providing the name or
bill number; S 1602,
the Chemical Security Act of 2001) the original legislation proposed by
Sen. Corzine (D,NJ), but never mentions the alternative proposals that did not
contain inherently safer technology proposals (such as Sen. Inhofe’s (R,OK) S
993, the Chemical Facilities Security Act of 2003).

Thus she provides only a one-sided view of the debate that
held up passage of any chemical security legislation until §550 provided for an
interim final rule (IFR) that resulted in the CFATS program. This provision for
an IFR clearly indicated that Congress was cobbling together a short-term
measure that would be replaced at some later date by more comprehensive
legislation. Many of the problems of the current program can be traced back to
this ‘interim’ nature of the legislation.

She also ignores the political implications of establishing
a chemical security program through a short paragraph in an appropriations
bill. This has provided for a singular lack of Congressional oversight of the
program because there is no clear delineation of which House committee would be
responsible for that oversight.

‘Overly Burdensome’

The Zuckerman report provides an adequate overview of the
CFATS program under a section entitled ‘Overly Burdensome and Confusing
Standards’. This conclusive (and misleading) section title is a perfect example
of the low standards of scholarly work exhibited throughout this report. She
starts in the opening paragraph by describing the current ‘chemical terrorism
threat’ by claiming that:

“Indeed, of the 51 publicly known Islamist-inspired
thwarted terrorist plots against the United States since 9/11, at least three
have involved chemical facilities or the diversion of potentially dangerous
chemicals.” (pgs 2-3)

She cites no source for these numbers nor does she even
provide a footnote with a brief description of the three chemical related
attacks. Now I have been following chemical security issues for some time now
and I don’t recall any publicly-acknowledged thwarted-attacks on any chemical
facilities. The closest that I can remember is the plot on the New York airport
fuel lines, hardly a chemical facility under any of the currently accepted
definitions.

Then before she can even begin to describe the current
program she concludes that:

“While a degree of government
oversight over chemical security is needed, current standards are exceedingly
burdensome and complicated, and overprescribe federal solutions with which the
private sector must comply, threatening innovation and economic expansion.”
(pg 3)

Zuckerman does provide a reasonably concise explanation of
the four stages of the CFATS process. Her description continues to pre-judge
the process, however, starting her description by stating that:

“Currently, CFATS requires
that each facility undergo a complicated and often confusing four-step process,
any aspect of which the facility can be required to repeat, should its chemical
supplies change….” (pg 3)

This statement clearly exhibits her misunderstanding of both
the CFATS process and the nature of the chemical industry and the potential
threats that it faces. She clearly misunderstands that chemical facilities are
not what are really at risk of terrorist attack (or at least not more so than
any other critical infrastructure facility); but that terrorists would attack chemicals
produced, used or stored at those facilities to achieve an even larger chemical
munitions effect on the surrounding community.

Tier Ranking Confusion

She is a little loose in her description of the Tier ranking
process, but it isn’t clear if this is because of a fundamental
misunderstanding of the process or poor writing skills. In describing the
Top-Screen process she states that:

“These facilities then received an
initial risk ranking, with Tier 1 indicating the highest level of risk and
Tier 4 the lowest.” (pg 3)

DHS clearly refers to this as a ‘preliminary’ Tier ranking
in their discussion of the Top Screen results. The difference between ‘preliminary’
and ‘initial’ may seem to be nit-picking on my part, but she later exemplifies
her apparent confusion when she states in her description of the SVA process
that:

“From the submitted SVA information,
the DHS ultimately determined that 4,569 of the more than 7,000 initial
facilities should in fact be designated high-risk, and gave them a
preliminary-tier or final-tier ranking.”

A misunderstanding of such a simple yet important part of
the CFATS process exemplifies a low level of process knowledge that brings the
remainder of her critique into question.

SSP Preauthorization Visit

In her description of the SSP ‘Authorization and Compliance’
step of the CFATS program, Ms. Zuckerman glosses over the first indication of
the current problems with the CFATS program. She describes the SSP approval
process this way:

“In order for an SSP to be approved
and a facility to be considered fully CFATS-compliant, the ISCD must conduct a
pre-authorization visit and an authorization inspection.”

There is nothing in the CFATS regulations or SSP
documentation provided by ISCD that describes the use of or requirement for a ‘pre-authorization
visit’. This was a compliance tool that DHS added when it became clear that the
information being submitted in the SSP process by facilities was inadequate for
judging the compliance of the SSP with the Risk-Based Performance Standards. The
addition of this ‘visit’ as part of the compliance process was the first real
indicator that we had about the current problems with the CFATS process.

Misses the Program Strengths

While Ms. Zuckerman’s description of the CFATS process is
adequate, as part of a serious look at the efficacy of the regulatory regime it
falls well short of being comprehensive. There is no description of the
development of the Chemical Security Assessment Tool, the series of on-line tools
that allow for the electronic submission of information to DHS. The success of
the tools for the Registration, Top Screen and Security Vulnerability
Assessment is often overlooked in critical reviews of the CFATS program.

The use of the Registration and Top Screen tools made it
relatively easy for facilities that met the initial operational definition of a
potentially at-risk chemical facility (possession of a significant quantity of
potentially hazardous chemicals) to submit the required information to allow
DHS to remove the vast bulk of those facilities from further consideration
under the CFATS program.

Furthermore, the internal computer-based modeling made the
complex decision-making process based upon the Top Screen information much more
efficient. The process of whittling down the initial 38,000 facilities to
little more than 7,000 potentially at-risk facilities was accomplished in
remarkably short order, a process that couldn’t have been done in nearly the
same amount of time, or by the same small staff, with old-fashioned paper-based
information submissions.

The Top Screen tool and the ISCD modeling work do not get
nearly the credit that they deserve in the CFATS process. The SVA submission tool
provided another innovative information submission and analysis capability that
Ms. Zuckerman can only find fault with because it might take as much as 250
hours to complete. She also notes that that is a DHS pre-implementation
estimate and forgets to mention that there has been no effort to document the actual
amount of time that it took facilities to complete their submissions.

Furthermore, it is clear to anyone that has looked at the
CFATS process in any detail that the success of the Top Screen and Security
Vulnerability Assessment tool inevitably led the leadership at ISCD to try to
extend that methodology to a process that was so much more complex that the
same type of tools could not provide the level of information necessary to
adequately judge the level of compliance with the established RBPS.

Again, Ms. Zuckerman’s misunderstanding of the strengths and
weaknesses of this program weakens the importance of the conclusions that she
draws; conclusions that I will address in subsequent blog posts.

About Me

Patrick Coyle is a freelance writer dealing with chemical security and safety issues. He has 15 years of experience in the US Army with extensive experience in training development, delivery and evaluation. He spent 20 years working in the chemical process industry developing and improving chemical manufacturing processes with a large emphasis on chemical and process safety. He currently writes a daily blog, the Chemical Facility Security News, examining the issues associated with the Chemical Facility Anti-Terrorism Standards administered by the Department of Homeland Security.